Shane Huntley and his team have tracked Iranian hackers as they spread disinformation in the U.S., unmasked North Korea’s responsibility for a crippling global computer virus and probed Russians linked to the 2016 hack of the Democratic National Committee.
Mr. Huntley doesn’t work for the National Security Agency or another government spy shop. He heads Google’s in-house counterespionage group, the Threat Analysis Group, which has emerged as an important force in the battle against hackers and a leading example of tech giants building up powerful cybersecurity defenses in an age of rising nation-state hacks.
Staffed partly by former government agents, these groups at companies including Google play a central role in keeping criminals and spies away from the ocean of personal information online as people rely more on their products.
The tech giants’ access to that data and their huge user networks mean they are in some ways more effective in fighting intrusions than governments, executives say.
Last summer, Mr. Huntley’s team stopped an allegedly Iranian-backed disinformation campaign by pulling dozens of YouTube channels that were using fake accounts to push misleading political stories primarily about the Middle East. Disinformation, especially around elections, is a new focus for Mr. Huntley’s team.
The 27-person team tracks more than 200 hacker groups that pose a threat to Google and its users, analyzing hacking techniques and clues to the groups’ identities to head off attacks. It leverages access to data across widely used Google products like Gmail, with more than 1.5 billion accounts world-wide, and to a database of attack code called VirusTotal managed by another arm of Google-parent Alphabet Inc.
The companies balance cybersecurity protection against other business priorities, and are sometimes reluctant to publicly point the finger at responsible governments. The size of their user bases means the actions they decide to take or not to take can have widespread impact.
Google’s massive data-collection capabilities have long captured the attention of privacy advocates and regulators, but the company faced criticism last year after The Wall Street Journal reported that the company failed to notify consumers of a bug in its Google+ social network that exposed user data. A second Google+ bug, disclosed later, exposed the data of 52 million users.
Mr. Huntley’s team issues about 4,000 warnings a month to Gmail users with accounts where it detects government-backed hackers trying to break in. Google has been criticized by lawmakers and security researchers for not doing enough to stop Russian interference in the 2016 presidential campaign, when Democratic officials such as John Podesta had their Gmail accounts broken into and YouTube was misused by the Russia-backed Internet Research Agency to spread disinformation.
“What we saw in the 2016 election was limited activity, but it was improper,” Google Chief Executive Sundar Pichai said in testimony before the House Judiciary Committee in December. “It’s something we’re working hard to mitigate and avoid.”
Google hired Mr. Huntley, 43, a former hacker with Australia’s Defense Signals Directorate, its equivalent of the NSA, in 2010, months after revealing it had suffered a major cyberattack attributed to Chinese hackers. “Google really needed a well-staffed professional team to deal with the government threats,” he said.
He and other executives who have worked at big tech cyber-threat operations say they can have more impact in the private sector than in government.
“These companies are sovereign authorities inside their products,” said Sergio Caltagirone, a former NSA analyst hired by Microsoft in 2013. Many of his peers felt the same way, he said. “There were a lot of people who had spent close to a decade in government, and everyone was recognizing, ‘Yeah, we can’t really do much,’” he said.
In 2014, Microsoft and other tech companies kicked offline servers used by a group called Axiom that investigators described as hackers-for-hire in China. That was the largest disruption of a state-sponsored hacking effort at the time, said Mr. Caltagirone, now a researcher with the security firm Dragos Inc.
Mr. Huntley’s team displayed its prowess during a strike by North Korean hackers. The team was first to publicly link North Korea to the devastating WannaCry computer-worm outbreak that shut hundreds of thousands of computers globally in May 2017.
As that ransomware attack spread, a researcher named Neel Mehta on Mr. Huntley’s team at Google’s Mountain View, Calif., campus, began running code from the virus through an in-house search engine called DejaDis, which searches through Google’s vast database of computer worms and viruses—a sort of Library of Alexandria of malicious software, with more than two billion samples.
Mr. Mehta saw that the WannaCry worm used a unique way of generating random numbers. He quickly linked that to another virus, called Cantopee, built by a hacking group that security researchers had linked to North Korea.
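The attribution step described above, finding a distinctive piece of code that a new sample shares with a known family, can be illustrated with a small code-reuse index. The following is an added example written for this page; it is not Google’s DejaDis, not code from the article, and it uses constructed placeholder byte strings rather than real malware. The window size, the sample names and the “routine” bytes are all assumptions.

```python
"""Toy code-reuse search: index short byte sequences from known samples, then
look up a new sample to see which known family it shares code with.
Every blob below is a constructed placeholder, not real malware bytes."""
from collections import defaultdict
from typing import Dict, Optional, Set

WINDOW = 8  # bytes per indexed chunk (assumed tuning value)

# Constructed placeholders. PROLOGUE stands in for boilerplate that many
# unrelated programs share; ROUTINE stands in for a distinctive routine
# (here styled after a number generator) that only one family uses.
PROLOGUE = bytes.fromhex("558bec83ec105356")                 # constructed
ROUTINE = bytes.fromhex("8b450c69c06d4ec6410539300000c3")    # constructed
EPILOGUE = bytes.fromhex("5e5bc9c3")                         # constructed

KNOWN_SAMPLES: Dict[str, bytes] = {
    "family_a_sample": PROLOGUE + ROUTINE + EPILOGUE,
    "commodity_sample": PROLOGUE + bytes.fromhex("33c040") + EPILOGUE,
}
# The "new" sample: same boilerplate, two padding bytes, then the routine.
NEW_SAMPLE = PROLOGUE + b"\x90\x90" + ROUTINE + EPILOGUE


def chunks(blob: bytes, window: int = WINDOW) -> Set[bytes]:
    """Sliding-window chunks; a set, since presence matters and count does not."""
    return {blob[i:i + window] for i in range(len(blob) - window + 1)}


def build_index(samples: Dict[str, bytes]) -> Dict[bytes, Set[str]]:
    """Map every chunk to the names of the known samples that contain it."""
    index: Dict[bytes, Set[str]] = defaultdict(set)
    for name, blob in samples.items():
        for c in chunks(blob):
            index[c].add(name)
    return index


INDEX = build_index(KNOWN_SAMPLES)


def lookup(blob: bytes, index: Dict[bytes, Set[str]]) -> Dict[str, int]:
    """Naive match count per known sample; boilerplate inflates every family."""
    hits: Dict[str, int] = defaultdict(int)
    for c in chunks(blob):
        for name in index.get(c, ()):
            hits[name] += 1
    return dict(hits)


def distinctive_lookup(blob: bytes, index: Dict[bytes, Set[str]]) -> Dict[str, int]:
    """Count only chunks that exist in exactly one known sample. Shared
    prologues and epilogues drop out; rare code is what links families."""
    hits: Dict[str, int] = defaultdict(int)
    for c in chunks(blob):
        owners = index.get(c, set())
        if len(owners) == 1:
            hits[next(iter(owners))] += 1
    return dict(hits)


def best_match(blob: bytes, index: Dict[bytes, Set[str]],
               min_hits: int = 3) -> Optional[str]:
    """Name of the family with the most distinctive shared chunks, or None
    when nothing clears the (assumed) threshold."""
    hits = distinctive_lookup(blob, index)
    if not hits:
        return None
    name, count = max(hits.items(), key=lambda kv: kv[1])
    return name if count >= min_hits else None


if __name__ == "__main__":
    print("naive:", lookup(NEW_SAMPLE, INDEX))
    print("distinctive:", distinctive_lookup(NEW_SAMPLE, INDEX))
    print("best match:", best_match(NEW_SAMPLE, INDEX))
```

The naive count credits the commodity sample for the shared prologue; the distinctive count ignores chunks that more than one known sample contains, so only the rare routine links the new sample to one family. Real systems normalise code before hashing and weight matches by rarity, but the logic is the same: a hit on code that appears nowhere else in a large corpus is the evidence worth acting on.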
Google didn’t want to call out North Korea directly; this was the country that had launched a devastating attack on Sony Pictures. But Mr. Huntley and Mr. Mehta found a subtler way to share their findings. Mr. Mehta posted a tweet that, to those in the know, pointed to the shared Cantopee code, showing that WannaCry was likely built not by run-of-the-mill criminals seeking money but by North Korea’s cyber army.
Others soon verified Google’s findings, and the U.S. later publicly blamed North Korea for the attack.
Mr. Huntley said the episode represents only a part of his team’s ambition. Internally, they have a range of other security tools, all integrated into a single threat-dashboard called Nirvana. “Our goal is to understand everything about these threats and make it accessible to everyone at Google,” he said.
Corrections & Amplifications
The Google+ bug that exposed data of 52 million users was disclosed after The Wall Street Journal reported about another Google+ bug. An earlier version of this article incorrectly stated that the Journal report was about the bug affecting 52 million users. (Jan. 23, 2019)
Write to Robert McMillan at Robert.Mcmillan@wsj.com
Appeared in the January 24, 2019, print edition as ‘Google Team Seeks to Keep Data Safe.’